IBM Data Privacy Passports Provide Data Privacy Control

IBM Data Privacy Passports gives IBM Z users data control, no matter where it is or where it's going.

Michael Jordan, Distinguished Engineer, IBM Z Security

Michael Jordan, Distinguished Engineer, IBM Z Security, Image by Bill Bernstein

Data that was largely maintained for local use is now being shared across a multitude of platforms—such as hybrid cloud or analytic data lakes—and with external business partners. 

Because of this and the growing numbers of data privacy regulations, along with the increase in both attempted and successful breaches, it’s more important than ever to ensure data is encrypted, controlled and traceable no matter its origin or point of consumption.

Today, modern applications are often service-oriented, spanning the enterprise and hybrid multicloud environments—and requiring end-to-end data protection. Most data-security solutions, however, are siloed, leaving organizations to stitch together disparate solutions to protect data across multiple applications, environments and platforms.

As Michael Jordan, Distinguished Engineer, IBM Z* Security, explains, “Solutions available in the marketplace today are considered to be very siloed. This means that as data moves from one place to another, every transport and stop along the way is responsible for protecting the data within that environment. As a result, you end up with fragmented, not end-to-end, protection.”

The Cost of Loss

For IBM Z users, this is less of an issue, thanks to the advent of the encrypt-on-system tool, pervasive encryption for IBM Z, which was introduced with the IBM z14* and, more recently, the encrypt-everywhere IBM Data Privacy Passports, which accompanied the release of the IBM z15*. Combined with IBM Z encryption hardware, these encryption, control and traceability solutions represent a crucial defense against the loss and readability of personal and private data—which is no small issue.

In fact, the theft of unencrypted data can be very costly. Not only can it result in hefty fines under regulations such as the General Data Protection Regulation (GDPR) and the newly enacted California Consumer Privacy Act (CCPA), but also in the loss of consumer faith, which can be as costly as, or more costly than, regulatory fines.

“I always say, ‘Well, what would be your cost if you were breached? What would be the impact on your reputation? What would be the impact on your business? How much will the fines and legal actions cost?’ All of that’s going to cost a lot more than the cost of encryption,” says Cindy Compert, Distinguished Engineer and Security CTO, IBM Security.

Pervasive encryption is an example of a solution that addresses these issues. It enables IBM Z users to encrypt data at the database, data set or disk level—or in other words, encrypt everything on their systems. This includes protecting the data even after it has been moved or copied somewhere. But pervasive encryption doesn’t protect the data, the key and access to the data dynamically like Data Privacy Passports does.

With pervasive encryption, you can send a partner the data, but you also have to send them the key and then assume they’re re-encrypting the data after they’ve accessed it with the key, that they’re managing access properly and that their security policies are as good as yours. Data Privacy Passports tempers those worries by employing origin-embedded privacy control policies to determine who’s entitled to view the data and how much of it is visible.

A Policy of Protection

The development of this comprehensive security solution was, in part, due to conversations between IBM Z users and IBM. As part of IBM’s thought leadership philosophy and design thinking approach, the understanding of client pain points is crucial to pushing further innovation to make sure client concerns are properly addressed.

“We already had our integrated encryption hardware, but understanding what was happening from a regulatory point of view and knowing that our clients needed to encrypt on a massive scale brought about pervasive encryption,” Jordan says. “But then we had further conversations about our clients’ needs and they’d say, ‘Pervasive encryption is great, but we’d also love to be able to encrypt and control access to data everywhere, across our multiplatform environment.’ It was conversations like those that led to the development of Data Privacy Passports.”

Data Privacy Passports is designed to ensure data is protected and tracked no matter where it travels within the enterprise and on which platform it lands, even if it’s moved due to theft by a user or systems administrator. It’s a single solution to protect data from end to end, while allowing you to enforce the appropriate use of data across the enterprise using a centralized and enforceable policy.

With a data-centric approach to ensuring data privacy, data itself is encrypted at the starting point and remains encrypted until it reaches the end point. The data stored at end and intermediate points is implicitly encrypted and managed through centralized policy decisions. This is opposed to the more typical mobile data encryption techniques, where encryption and decryption take place at each point of the network, and any data stored at end and intermediate points must be explicitly encrypted.

Data Privacy Passports acts as a secure data gateway, just under the application layer, which allows you to inject encryption directly into the applications and enforce data entitlement or the appropriate use of data. A data element itself is protected as part of a trusted data object, which includes both the encrypted data and the metadata that points back to the policy. 

This provides access control at the field level for databases being shared throughout the enterprise. You can, for example, create a data policy and, within that policy, decide who can see the data and for how long they can see it. Critically, you can also change or revoke that policy remotely in the event of a change in the security environment, such as an attempted breach or a business partner being acquired by a competitor.

“When a data admin needs to provision data, they’ll have access to the data to be able to provision it into a data lake, but they wouldn’t have access to read or view the data in the clear,” explains Jessica Doherty, offering manager, IBM Z Security. “Data Privacy Passports can protect a Db2* for z/OS* database and every row in a column can be protected independently depending on policy. Even if a copy of the data is created, the policy is copied with it, and the data maintains its protection.”

A Simple Truth

Tight control over data entitlement is a core aspect of Data Privacy Passports. Indeed, this capability goes hand in hand with encryption, ensuring both point-to-point data privacy and—crucially—data traceability and auditability from origin to consumption. This helps confirm that information is being used appropriately and only as intended.

To that end, Data Privacy Passports policies can be as granular as needed. For instance, a data scientist might have a six-month project during which they need to access the phone numbers of company customers, but area codes will suffice. 

A contextual-control policy can be developed to reflect this by masking the rest of the phone number, thereby not revealing any other personalized customer information that may be considered sensitive. If the data scientist’s six months expires, their access to the data can be revoked.

Data Privacy Passports’ policy-driven encryption extends selective data masking, redaction and access control to the cloud. And this is no small matter. Traditionally, organizations used public clouds for the benign hosting of, for example, the front-end interfaces of end-user applications.

Now, they’re increasingly pushing mission-critical workloads to hybrid clouds, whether to save money or more easily share application resources for, say, AI modeling. But this comes with obvious security pitfalls, with some organizations mistakenly assuming the cloud provider will offer data protection as part of their contract. A closer look at the small print may reveal that no such assurances are expressed or implied.

As Compert notes, “You’re responsible for the data being put out there. You’re responsible for access control and deciding who has access to that information. You have to understand the controls and realize a lot of cloud providers don’t have well-developed security capabilities, even to provide real-time audit trails of activity. That’s just a simple truth.”

Thankfully, z15 users can protect that data by hashing or redacting it prior to sending it to the cloud. This essentially means that cloud applications are only entitled to access what’s allowable, based on policies, and the other data is protected and private via encryption. 

Concurrent with this, data transactions are tracked from origin to consumption and logged, so compliance auditors can track data lineage, such as where and by whom the data is touched as it moves through the enterprise. If something is exposed, the auditors can review the audit record and see who accessed the data last, which may give them a lead on identifying the root cause. This end-to-end trackability can also be used to make sure you’re meeting your compliance obligations.
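The ideas above (a trusted data object that carries ciphertext plus a pointer to a central policy, role-based views such as area code only, time-boxed entitlements, revocation that follows every copy, and an access log for auditors) are sketched below as a constructed Python illustration. It is not IBM’s code: the function names, the policy store and the toy XOR cipher are assumptions made for this example.

```python
import hashlib
from datetime import datetime, timedelta

KEY = b"constructed-demo-key"   # stands in for a key held by the central policy service
POLICIES = {}                   # policy_id -> {subject: (view, expiry datetime)}
AUDIT = []                      # (when, subject, policy_id, view granted) records

def _pad(n):
    # Toy keystream so the example runs offline; a real deployment uses AES via the
    # platform's key store. Constructed for illustration only.
    return (hashlib.sha256(KEY).digest() * (n // 32 + 1))[:n]

def _xor(data):
    return bytes(a ^ b for a, b in zip(data, _pad(len(data))))

def protect(value, policy_id):
    """Wrap a field in a trusted data object: ciphertext plus a pointer to its policy.
    The object carries no key, so a copy of a copy is still unreadable without policy approval."""
    return {"ct": _xor(value.encode()), "policy": policy_id}

def set_entitlement(policy_id, subject, view, days, now_iso):
    """Grant `subject` a view ("clear", "area_code", "redacted" or "none") for `days` days."""
    expiry = datetime.fromisoformat(now_iso) + timedelta(days=days)
    POLICIES.setdefault(policy_id, {})[subject] = (view, expiry)

def revoke(policy_id, subject):
    """Central change: takes effect for every copy of the data at its next use."""
    POLICIES.get(policy_id, {}).pop(subject, None)

def consume(tdo, subject, now_iso):
    """Enforce policy at the point of consumption, log the access, return the permitted view."""
    now = datetime.fromisoformat(now_iso)
    view, expiry = POLICIES.get(tdo["policy"], {}).get(subject, ("none", now))
    if now >= expiry:
        view = "none"                      # time-boxed entitlement has lapsed
    AUDIT.append((now_iso, subject, tdo["policy"], view))
    if view == "none":
        return None                        # e.g. a data admin who can move but not read
    clear = _xor(tdo["ct"]).decode()
    if view == "clear":
        return clear
    if view == "area_code":                # phone number: keep the area code, mask the rest
        return clear[:3] + "-***-****"
    return "[REDACTED]"
```

The AUDIT list plays the role of the lineage record: every consumption attempt, including denied ones, is written with the subject and the view that was actually granted.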

Data Privacy Passports in Short

Data Privacy Passports features include: 

  • Trusted data objects that provide data-centric protection of data, privacy and provenance
  • Protection applied at the point of extraction and enforced at the point of consumption
  • Multiple views of data from a single source, enforced on a need-to-know basis
  • Policy access that can be changed dynamically to revoke or entitle a user’s access to data
  • The ability to track the complete data journey, from point of origin to consumption

One and Done

It’s a simple matter of fact that data is much more active than it used to be. The key, though, is keeping it safe from prying eyes.

For many, this has meant cobbling together a mishmash of siloed encryption solutions depending on data source and data destination. This encryption model is highly complex to control and doesn’t guarantee against gaps in coverage during transmission. It also potentially requires an expert in every encryption tool.

The IBM Z platform takes a more holistic approach to data encryption, beginning with data-on-system pervasive encryption for IBM Z and now encryption-everywhere Data Privacy Passports. This data-centric protection ensures data spreading across the enterprise is safeguarded at every point it hits and every transport mechanism in between.

“We want to make sure our clients only need to encrypt once, and they’re good to go,” Doherty says. “We don’t want them to worry about going back and forth with siloed security products. Data Privacy Passports operates in the exact opposite way. One and done.”

As data leaves the system of record, Data Privacy Passports automatically protects distributed copies of the data as they move through the enterprise, with the protection being embedded with the data. This eliminates, for example, the possibility that someone can use a copy of a copy of data to access personal information, either intentionally or accidentally. 

“The idea behind Data Privacy Passports is that you can securely share information. That you can provide it at a very granular level, and that if you don’t want to provide it anymore, you can take it back,” Compert remarks. “You can provide some information while obscuring the rest.”  

Although these ideas may sound like overkill to some, they are quickly becoming a necessity, especially as privacy regulations become more commonplace and the costs of non-compliance increase. Customers are also taking privacy more seriously, and an attack on unencrypted data—no matter how large or small—can quickly sour them on an organization, further damaging the bottom line.

In fact, an IBM-commissioned study conducted by The Harris Poll found that 64% of all consumers have opted not to work with a business out of concerns over whether they could keep their data secure (2019 IBM and Harris Poll Privacy study, September 2019: bit.ly/373H4HP).

All of this is the result of IBM’s thought leadership philosophy, much of which is driven by client communications. These conversations only further encourage IBM to innovate more thoughtfully and at a heightened pace, without sacrificing quality.

“The release of pervasive encryption may appear to have been coincident with the development of GDPR, but we knew our clients were concerned about becoming compliant,” Jordan says. “Now, they want to make sure they’re in line with whatever other regulations may come up, such as the CCPA, while also genuinely addressing their customers’ concerns about privacy. Data Privacy Passports is yet another demonstration of our goal to support our clients’ goals.”
